Cast your net into the enterprise IT market today and you'll haul back a big catch of new DevOps security tools and features.

The arrival of these tools, along with a vendor merger around containers, indicates that a new wave of maturity around secure application deployment is headed for the ecosystem of IT shops, as industry watchers say tools tend to be a lagging indicator of where demand lies.

"There has to be some sort of best practice or thought process that leads to the development of tools," said TJ Saotome, vice president of information technology and portfolio management for Dartmouth Research & Consulting in Boston. "I see tons of [tools] every day … but we're still at the early stage of the journey."

Most advanced DevOps security tools are used today by development organizations, and some by IT operations groups, according to Saotome.

"I don't see that whole workflow, or the whole inclusion of sales, marketing and support organizations quite yet," he said. For that to happen at enterprises, existing mature best practices based on service management frameworks such as ITIL must first be mapped onto the DevOps process.

Many fish in the DevOps sea

HashiCorp's Vault tool is one example of a product that doesn't necessarily boil the ocean and span the entire app delivery and feedback workflow, but nonetheless solves an important problem by automating the management of secrets such as passwords.

"When you're doing automation, it gets really tricky to work with passwords and tokens," said Dan MacDonald, architect and principal technical lead for a New York City agency that's working to adopt Agile development processes.

With Vault, individual microservices can get passwords without having to pass them in environment variables as part of application code, which is "pretty much open to everybody," MacDonald explained. As a container starts up, a temporary token gets injected, which might be good for one use and have a time to live of five or 10 minutes. The container then uses the temporary token to contact Vault for the credentials it needs to use. If there's a problem or someone intercepts the token, it's only good for one use, so activity on the token can be tracked.

"It has a complete audit trail of access to the keys, which is very important," MacDonald said.
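A minimal model of the single-use, short-lived token flow and audit trail described above, added here as an illustration; it is not Vault's API or code from the article. The `SecretBroker` class, the `orders-db` role and the secret value are all constructed for the example.

```python
import hashlib
import secrets
import time

class SecretBroker:
    """Toy stand-in for a secrets manager (hypothetical; not Vault's API)."""

    def __init__(self, secrets_by_role, clock=time.monotonic):
        self._secrets = secrets_by_role
        self._tokens = {}   # token -> [role, expires_at, uses_left]
        self._clock = clock
        self.audit = []     # (time, token fingerprint, role, outcome)

    def _log(self, token, role, outcome):
        # Record a fingerprint, never the token itself.
        fp = hashlib.sha256(token.encode()).hexdigest()[:12]
        self.audit.append((self._clock(), fp, role, outcome))

    def issue_token(self, role, ttl_seconds=300, uses=1):
        token = secrets.token_urlsafe(32)
        self._tokens[token] = [role, self._clock() + ttl_seconds, uses]
        self._log(token, role, "issued")
        return token

    def fetch_secret(self, token):
        entry = self._tokens.get(token)
        if entry is None:
            self._log(token, None, "denied:unknown-or-spent")
            return None
        role, expires_at, _ = entry
        if self._clock() >= expires_at:
            del self._tokens[token]
            self._log(token, role, "denied:expired")
            return None
        entry[2] -= 1
        if entry[2] <= 0:
            del self._tokens[token]   # single-use: gone after first fetch
        self._log(token, role, "granted")
        return self._secrets[role]

def demo():
    now = [0.0]  # controllable clock so the TTL case runs instantly
    broker = SecretBroker({"orders-db": "constructed-password"}, lambda: now[0])
    token = broker.issue_token("orders-db")   # injected at container start
    first = broker.fetch_secret(token)        # container's own request
    replay = broker.fetch_secret(token)       # copy of the token reused
    stale = broker.issue_token("orders-db")
    now[0] += 301                              # past the five-minute TTL
    late = broker.fetch_secret(stale)
    return first, replay, late, [e[3] for e in broker.audit]
```

If a copied token is spent by someone else first, the container's own request is the one that gets denied, and that denial in the audit log is the event to alert on.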

The CoreOS Quay container security scanning tool and Docker's Security Scanning utility, released in May 2016, round out the picture for MacDonald's organization.

When the application team builds images and puts them into the Docker Hub registry service, Quay runs an analysis of the binaries of everything that's installed to check for known threats. Docker Security Scanning sees all the changes to containers over time as new ones are spun up to replace the old ones -- if someone hacks into the system and adds a binary, it quickly becomes visible.

An emerging company, XebiaLabs Inc., is working to incorporate security features into its continuous delivery orchestration tool. While some of its governance features remain in the pilot phase, "they're one of the first [vendors] to really try and bring it all together," according to Saotome.

Bolstering enterprise container security

Adding to the activity around DevOps security tools is the recent acquisition of enterprise Kubernetes player Kismatic Inc. by private platform as a service (PaaS) vendor Apprenda Inc., a deal aimed at helping enterprises make the leap into container orchestration while fitting in with existing corporate security practices.

"If you're an enterprise looking at [Google] Kubernetes or Docker, [Apache] Mesos, any of those, they are too deep-down in the stack for you to actually deliver value," said Joe Emison, CTO and founder of BuildFax Inc., based in Asheville, N.C., which provides real estate property data to other businesses such as insurance companies. "You would still need what Apprenda does, which is coding and configuration and the ability to instantiate my environment -- those problems don't get solved with Docker or Kubernetes."

However, while enterprises stand to spend a healthy amount of money on things like on-premises PaaS in the short term, in the long run "it's very hard to see anybody but very large enterprises doing it," he said.

Beth Pariseau is senior news writer for TechTarget's Data Center and Virtualization Media Group. Write to her at bpariseau@techtarget.com or follow @PariseauTT on Twitter.
